Description of problem: SELinux denies (read) access to /etc/host.deny (etc_runtime_t) for prelude-manager (prelude_t), so prelude-manager thinks "TLS handshake failed" and tells you have to register the sensor. Version-Release number of selected component (if applicable): selinux-policy-3.5.13-40.fc10.noarch selinux-policy-targeted-3.5.13-40.fc10.noarch prelude-manager-0.9.14.2-1.fc10.x86_64 How reproducible: Installed components on updated F10 virtual machine following this tutorial http://people.redhat.com/sgrubb/audit/prelude.txt to evaluate prelude. You will see the denial after step 7, when you try to start the first registered sensor. AVC: node=localhost.localdomain type=AVC msg=audit(1233565243.279:38): avc: denied { read } for pid=4658 comm="prelude-manager" name="hosts.deny" dev=dm-0 ino=112924 scontext=unconfined_u:system_r:prelude_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file Resulting /var/log/messages-entries: Feb 2 10:00:42 prelude audispd: af_unix plugin initialized Feb 2 10:00:42 prelude audispd: audispd initialized with q_depth=512 and 2 active plugins Feb 2 10:00:43 prelude auditd[5569]: Init complete, auditd 1.7.11 listening for events (startup state enable) Feb 2 10:00:43 prelude prelude-manager: warning: cannot open /etc/hosts.deny: Permission denied Feb 2 10:00:43 prelude prelude-manager: WARNING: [127.0.0.1:37572]: tcp wrapper refused connection. Feb 2 10:00:43 prelude audisp-prelude: Unable to start prelude client: TLS handshake failed: A TLS packet with unexpected length was received..#012#012In order to register this sensor, please run:#012prelude-admin register auditd "idmef:w" 127.0.0.1 --uid 0 --gid 0#012#012Profile 'auditd' does not exist. In order to create it, please run:#012prelude-admin register "auditd" "idmef:w" <manager address> --uid 0 --gid 0 Feb 2 10:00:43 prelude audisp-prelude: audisp-prelude is exiting due to init_prelude failure Feb 2 10:01:01 prelude audispd: plugin /sbin/audisp-prelude terminated unexpectedly Feb 2 10:01:01 prelude prelude-manager: warning: cannot open /etc/hosts.deny: Permission denied Feb 2 10:01:01 prelude prelude-manager: WARNING: [127.0.0.1:37573]: tcp wrapper refused connection. Feb 2 10:01:01 prelude audisp-prelude: Unable to start prelude client: TLS handshake failed: A TLS packet with unexpected length was received..#012#012In order to register this sensor, please run:#012prelude-admin register auditd "idmef:w" 127.0.0.1 --uid 0 --gid 0#012#012Profile 'auditd' does not exist. In order to create it, please run:#012prelude-admin register "auditd" "idmef:w" <manager address> --uid 0 --gid 0 Feb 2 10:01:01 prelude audisp-prelude: audisp-prelude is exiting due to init_prelude failure
Dirk, you can allow this for now. # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Fixed in selinux-policy-3.5.13-44.fc10